General
Target: 8c724f7c5a4a79d908c4772142562b80fc5f355d90fb19f5dc2114d74673435b
Size: 280KB
Sample: 220923-asd17acff9
MD5: ec3bcf1af2579429d7e3b26801da43c5
SHA1: 107e495cbb17267deb9b51f810c600e2155186e0
SHA256: 8c724f7c5a4a79d908c4772142562b80fc5f355d90fb19f5dc2114d74673435b
SHA512: 1b11bd7acf8ba1090a54c3bef2ec7e0cdad68a71b62f8e72cb74d3ca16d679e1b0da00b3b586b2b054872f946ded9aa3538099e80320bcfb8335bc9567ab43f1
SSDEEP: 6144:MgDeW7W5LQQwSKr7AeWLLzk1u37jsoH0Mm9igavwVf:MgK6ysQwSKr7APSaS2
Static task: static1
Behavioral task: behavioral1
Sample: 8c724f7c5a4a79d908c4772142562b80fc5f355d90fb19f5dc2114d74673435b.exe
Resource: win10-20220812-en

Malware Config
Extracted: redline
LogsDiller Cloud (Sup: @mr_golds)
C2: 77.73.134.27:8163
auth_value: 56c6f7b9024c076f0a96931453da7e56
Extracted: tofsee
C2: svartalfheim.top
C2: jotunheim.name
Targets
Target: 8c724f7c5a4a79d908c4772142562b80fc5f355d90fb19f5dc2114d74673435b
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
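The registry-based signatures above (VirtualBox ACPI tables, BIOS description values, the Wine key, service ImagePath writes and firewall policy changes) all reduce to well-known registry paths. The following Python detector is an added example and not part of the sandbox report or its signature engine: it maps each signature to the registry paths that anti-analysis and persistence code is known to touch and runs them over a constructed registry-event log. The event format (`pid op key`), the process IDs and the service name `updsvc` are assumptions made for the example; the registry paths are the standard ones probed by anti-VM checks and used for service persistence.

```python
import re
from collections import defaultdict

# Registry paths behind the behavioural signatures. The VirtualBox ACPI table
# names, the BIOS description values and the Wine key are the ones commonly
# probed by anti-VM/anti-sandbox code; the Services and FirewallPolicy paths
# cover service persistence and firewall tampering.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values": re.compile(
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "Checks BIOS information in registry": re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
        r"(SystemBiosVersion|VideoBiosVersion|BIOS\\)", re.I),
    "Identifies Wine through registry keys": re.compile(
        r"^HK(LM|CU)\\Software\\Wine$", re.I),
    "Sets service image path in registry": re.compile(
        r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I),
    "Modifies Windows Firewall": re.compile(
        r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\"
        r"Parameters\\FirewallPolicy\\", re.I),
}

# Reading ImagePath or FirewallPolicy is routine; only writes are suspicious.
WRITE_ONLY = {"Sets service image path in registry", "Modifies Windows Firewall"}
WRITE_OPS = {"RegSetValue", "RegCreateKey"}

ANTI_ANALYSIS = {
    "Identifies VirtualBox via ACPI registry values",
    "Checks BIOS information in registry",
    "Identifies Wine through registry keys",
}

# Constructed sample log in "pid op key" form (assumption: not taken from the
# sandbox run above). PIDs and the service name updsvc are made up.
SAMPLE_EVENTS = """\
4120 RegQueryValue HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
4120 RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
4120 RegOpenKey HKCU\\Software\\Wine
4120 RegQueryValue HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName
5316 RegSetValue HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall
5316 RegSetValue HKLM\\SYSTEM\\CurrentControlSet\\Services\\updsvc\\ImagePath
5316 RegQueryValue HKLM\\SYSTEM\\CurrentControlSet\\Services\\updsvc\\ImagePath
"""


def parse_events(text):
    """Parse 'pid op key' lines; key paths may contain spaces (e.g. 'Windows NT')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, op, key = line.split(maxsplit=2)
        events.append((int(pid), op, key))
    return events


def match_signatures(events):
    """Return {signature name: [(pid, op, key), ...]} for every event that fires a rule."""
    hits = defaultdict(list)
    for pid, op, key in events:
        is_write = op in WRITE_OPS
        for name, pattern in SIGNATURES.items():
            if name in WRITE_ONLY and not is_write:
                continue
            if pattern.search(key):
                hits[name].append((pid, op, key))
    return dict(hits)


def anti_analysis_score(hits):
    """Number of distinct anti-VM/anti-sandbox signatures that fired."""
    return len(ANTI_ANALYSIS & set(hits))


if __name__ == "__main__":
    found = match_signatures(parse_events(SAMPLE_EVENTS))
    for name, evs in found.items():
        print(f"{name}: {len(evs)} event(s)")
        for pid, op, key in evs:
            print(f"    pid={pid} {op} {key}")
    print("anti-analysis signatures fired:", anti_analysis_score(found))
```

The write-only distinction matters in practice: every service control manager client reads ImagePath, so a rule that fires on reads of that value drowns real persistence in noise, whereas a RegSetValue on ImagePath from a non-installer process is exactly what "Sets service image path in registry" is meant to catch.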